PRIVACY POLICY
Last update: November 4, 2025
1. GENERAL PROVISIONS
1.1. This Privacy Policy is addressed to Users and other individuals using the application available at oterion.com (hereinafter referred to as: the "Application"), who conclude service agreements with the Controller as part of their business or professional activities (B2B transactions).
1.2. This Policy sets out the principles for collecting and processing personal data obtained by the Controller both during account registration in the Application and while using its functionalities, as well as at earlier stages such as form submissions or inquiries.
1.3. This Policy also applies to the processing of personal data of individuals following the Controller’s profile on linkedin.com and to persons interested in employment with the Controller.
2. PERSONAL DATA CONTROLLER
2.1. The Personal Data Controller is Oterion sp. z o.o., ul. Mogilska 35, 31-545 Kraków, Poland, KRS (National Court Register No.): 0001111726, NIP (TAX ID): PL6751800508. Additional contact details of the Controller: e-mail: info@oterion.com
2.2. You can contact the Controller regarding any privacy matters at: privacy@oterion.com
3. LEGAL BASIS FOR PERSONAL DATA PROCESSING
3.1. Your personal data is processed in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 (GDPR).
3.2. The legal bases for processing your personal data are:
- Consent – when you voluntarily provide data for a specific purpose (Article 6(1)(a) GDPR);
- Performance of a contract – when processing is necessary to conclude or perform a contract, or to take steps prior to entering into it (Article 6(1)(b) GDPR);
- Legal obligation – when processing is necessary to fulfill a legal duty incumbent on the Controller (Article 6(1)(c) GDPR);
- Legitimate interests – when processing is necessary for the purposes of the Controller’s legitimate interests (Article 6(1)(f) GDPR).
3.3. Providing personal data under points (a) and (b) is voluntary; however, failure to provide such data may prevent the use of the Application or the provision of services.
3.4. The Controller’s legitimate interests include in particular:
- securing and pursuing possible claims,
- ensuring IT and data security,
- maintaining business relationships,
- and conducting direct marketing of services provided by the Controller (e.g., via newsletters).
4. PURPOSES AND SCOPE OF PERSONAL DATA PROCESSING
4.1. Your personal data may be processed for the following purposes:
- to conclude and perform a contract, or to take steps prior to entering into a contract (e.g., handling inquiries, support requests, newsletter subscriptions, downloads of materials);
- to comply with legal obligations (e.g., accounting, tax regulations);
- to pursue legitimate interests of the Controller, including security, claims, and marketing.
4.2. The Controller may process, in particular, the following data of Clients (Application Users):
company name, first and last name of the contact person, e-mail address, phone number, tax ID, address, cookies, and IP address.
4.3. When a Client grants access to other users (e.g., employees), the Controller processes:
first and last name, job title, department, phone number, e-mail address, IP address, and cookies.
4.4. In such cases, the Controller acts as a Processor within the meaning of Article 4(8) GDPR, under a separate data processing agreement concluded with the Client.
5. SHARING PERSONAL DATA
5.1. Personal data may be shared with competent public authorities or third parties if required by law.
5.2. For the proper provision of services, data may be shared with:
- payment operators and banks,
- accounting and legal service providers,
- hosting and IT service providers,
- e-mail and marketing automation providers,
- technical support partners.
5.3. The Controller processes data obtained directly from you.
In the case of employees or associates of the Controller’s Clients, data may also come from those Clients.
5.4. A current list of data processors is published at https://oterion.com/en/legal/subprocessors.
6. INTERNATIONAL DATA TRANSFERS AND REGIONAL PROCESSING
6.1. The Controller maintains a global identification database located in the European Union (EU) for the sole purpose of determining which regional infrastructure (e.g., EU or US) should process your account and authentication requests.
6.2. This database contains only minimal identifying information:
- E-mail address,
- Selected or assigned service region,
- Account status and metadata (e.g., active, suspended, billing tier).
6.3. This data is stored securely and is not combined with any user-generated content or data processed within regional application environments. Processing is based on the Controller’s legitimate interest (Article 6(1)(f) GDPR) to ensure technical and regulatory compliance across regions.
6.4. If you subscribe to the newsletter, request product information, or submit a form via the website, your data (e.g., e-mail address, name, company) may be processed by marketing automation providers located in the United States (US).
6.5. The Controller currently uses Mailtrap and Amazon Simple Email Service (for transactional emails) and may use additional US-based tools (e.g., CRM or e-mail campaign platforms). Such transfers are covered by the EU–US Data Privacy Framework or Standard Contractual Clauses (SCCs) to ensure adequate protection. You can withdraw your consent to receive marketing communications at any time by following the unsubscribe link in emails or by contacting the Controller.
6.6. Support tickets and related correspondence are processed using tools provided by authorized Sub-processors, such as Atlassian (Jira Service Management) and Microsoft (Outlook).
These Sub-processors operate globally and may store or process data in multiple regions, depending on infrastructure availability and redundancy requirements. All such processing is carried out in compliance with applicable data protection laws and subject to appropriate safeguards, including Standard Contractual Clauses (SCCs) or participation in the EU–U.S. Data Privacy Framework, where applicable.
In limited cases, authorized members of our support or engineering teams may require temporary access to diagnose or resolve technical issues. Such access occurs only through secure, controlled VPN connections and is strictly limited to the scope of the issue reported. All access is logged and monitored for compliance and security purposes.
6.7. Whenever personal data is transferred outside the European Union or United States of America, the Controller relies on one or more of the following safeguards:
- The EU–US Data Privacy Framework, where applicable;
- The European Commission’s Standard Contractual Clauses (SCCs);
- Binding corporate rules or technical safeguards (encryption, limited access, secure transmission).
The Controller continuously reviews and updates its data transfer mechanisms to remain compliant with evolving regulatory requirements.
7. DATA PROTECTION
7.1. The Controller ensures appropriate technical and organizational measures to protect data against unauthorized access, alteration, loss, or destruction.
7.2. Personal data is:
- processed lawfully and fairly,
- collected for specified purposes,
- adequate, relevant, and limited to what is necessary,
- accurate and kept up to date,
- stored securely and not longer than necessary.
7.3. Only authorized persons, trained in data protection and bound by confidentiality, are allowed to process personal data.
7.4. Retention periods:
- for contract performance and legal obligations — for the duration of the contract and until the expiry of related claims;
- for marketing purposes — until consent is withdrawn or an objection is raised;
- for employees and authorized users — until the end of cooperation or removal by the Client.
8. RIGHTS
8.1. You have the right to request from the Controller access to your personal data, its rectification, erasure, or restriction of processing, the right to object to processing, as well as the right to data portability. You have the right to withdraw previously given consent to personal data processing at any time.
8.2. You have the right to obtain from the Controller the following information:
- The purpose, scope, and methods of processing your personal data;
- From when your data has been processed;
- The source from which your data originates;
- The recipients or categories of recipients to whom the data is disclosed.
8.3. Additionally, at your request, the Controller will supplement, update, and correct your personal data, as well as suspend (temporarily or permanently) its processing or remove it if your data proves to be incomplete, outdated, untrue, or collected in violation of the law, or is no longer necessary for the purpose for which it was collected.
8.4. Moreover, if your data is processed by the Controller for direct marketing purposes, you have the right at any time to object to the processing of your personal data for such marketing purposes, including profiling, to the extent that the processing is related to such direct marketing. To exercise the rights mentioned in this paragraph, you must submit an appropriate request to the Controller’s e-mail address.
8.5. You have the right to file a complaint with a supervisory authority if you believe that the processing of your personal data violates applicable regulations.
9. DATA CHANGES
9.1. If your personal data changes, please update it yourself in your user account or inform the Controller electronically at the Controller’s e-mail address.
10. COOKIES
10.1. The Controller states that it uses "cookies."
10.2. Cookies are information sent by a server that is stored on your device (e.g., your computer’s hard drive or your phone’s memory).
10.3. Data obtained through cookies does not enable the Controller to identify you, but it allows the Controller to determine whether the Application has been visited using a particular device (which does not mean identifying who visited the Application) and what the user’s preferences were at that time (what interested the user the most in the Application).
10.4. The Controller uses internal cookies for:
- Ensuring the proper functioning of the Application,
- Statistical purposes,
- Adapting the Application to your preferences.
10.5. The Controller may place both persistent and temporary cookies on your device.
10.6. Temporary cookies are typically deleted when the browser is closed, whereas persistent cookies are not deleted when the browser is closed.
10.7. Temporary cookies are used to identify the User as logged in.
10.8. Persistent cookies ensure certain functionalities not only during the current session but also throughout their storage period on the device. Persistent cookies are used for: collecting information on how the Application is used, including which subpages are visited and any errors encountered; checking the effectiveness of the Application’s advertisements; improving the Application’s performance by recording errors; testing various stylistic variants of the Application; remembering Users’ settings regarding their preferences; and showing Users that they are logged into the Application.
10.9. The Application uses Google Analytics, which uses cookies placed on your device to create statistics regarding traffic size and usage.
10.10. The Controller uses online marketing and advertising tools to advertise the Application and its services. These tools may use cookies placed on your device.
10.11. You can delete cookies left by the Application from your device at any time following the instructions of your web browser’s manufacturer.
10.12. You can also block cookies from accessing your device by configuring your browser settings accordingly; however, in that case, the Application may not function properly.
10.13. The Controller uses a server that automatically saves information in server logs for the purpose of analyzing the IT system’s operation. These logs contain information about the device you use to connect to the Application, i.e., the type of device and browser you use, your computer’s IP address, the date and time of entry, a textual description of the event, and a classification of the event.
10.14. Only persons authorized to administer the IT system have access to log files. Log files may be used to compile statistics to assess traffic in the Application and the occurrence of errors, which do not allow for your identification.
11. FINAL PROVISIONS
11.1. In the future, it may be necessary to update the principles set out in this Privacy Policy. In that case, the Controller will inform you of any changes to the content of this Policy. The updated principles will be available on the website under which the Application is posted.